How to go through a company proxy with ssh ?

How to go through a company proxy with ssh ?

Teggy P Veerapen
Hello,

I am trying to figure out how to connect to a remote ssh server (in fact to my
home pc which is hosting cygwin/sshd server) with the standard ssh client
coming with cygwin and I need to go through my company proxy. In fact I have
happily been using the cygwin/ssh client and cygwin/sshd server configuration
with my previous company which didn't have any proxy whereas with my current
company, all internet traffic goes through the proxy server.

I have done some searching on the internet on this issue and I have read about the
ProxyCommand in ssh configuration and a tool called netcat (or nc), but it would
seem that only the OpenBSD version of nc will do the trick (the version found in
cygwin packages won't be of any help).

I was wondering: since the cygwin setup software is able to nicely connect to
the internet via a proxy when using the option "Use IE5 Settings", there should
be a way to tell the ssh client to use IE5 settings when connecting to the ssh
server ...

Any help and/or pointer on this issue is most welcome,

Cheers,

Teggy

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How to go through a company proxy with ssh ?

DePriest, Jason R.
On 10/25/06, Teggy P Veerapen <> wrote:
> Hello,
>
> I am trying to figure out how to connect to a remote ssh server (in fact to my
> home pc which is hosting cygwin/sshd server) with the standard ssh client
> coming with cygwin and I need to go through my company proxy.
...
> I have done some search on the internet on such issue and I have read about the
> ProxyCommand in ssh configuration

I use corkscrew (http://www.agroman.net/corkscrew/) to make use of the
ProxyCommand feature in my ~/.ssh/config file.

It works great.

-Jason

Re: How to go through a company proxy with ssh ?

Wynfield Henman
I don't know about corkscrew, but some variation of the below which I
use may be helpful to you.

Regards,
  Darel Henman
--------------------------------------------------
# Example:
## Get connect (small yet good)
#  wget http://www.taiyo.co.jp/~gotoh/ssh/connect.c
#
## Compile it
# gcc connect.c -o connect
## Install it somewhere in your path
# install -m 755 connect /bin

## Configure SSH (example)
## set up ~/.ssh/config.txt or config
## so it can go through your proxy.
# appends to your .../.ssh/config (or edit it by hand)
cat <<EOF >> ~/.ssh/config
Host xxx.connect_to_host.yyy.com
     ProxyCommand connect -H proxy-2.your-company-proxy-nameoraddress:8080 %h %p
EOF
# the 8080 is the proxy port addr.  use whatever
# your company uses:  You may have to look into
# your http://proxy-2.xxx:50081/proxy.pac file to find a proxy
# direct address....

At this point you might try:
    ssh -p 443 <arguments-if-any>

#END
----------------------------------------------------

On 10/26/06, DePriest, Jason R. <[hidden email]> wrote:

> On 10/25/06, Teggy P Veerapen <> wrote:
> > Hello,
> >
> > I am trying to figure out how to connect to a remote ssh server (in fact to my
> > home pc which is hosting cygwin/sshd server) with the standard ssh client
> > coming with cygwin and I need to go through my company proxy.
> ...
> > I have done some search on the internet on such issue and I have read about the
> > ProxyCommand in ssh configuration
>
> I use corkscrew (http://www.agroman.net/corkscrew/) to make use of the
> ProxyCommand feature in my ~/.ssh/config file.
>
> It works great.
>
> -Jason

Re: How to go through a company proxy with ssh ?

DePriest, Jason R.
On 10/25/06, Wynfield Henman <> wrote:
> I don't know about corkscrew, but some variation of the below which I
> use may be helpful to you.
>
> Regards,
>   Darel Henman
> --------------------------------------------------
>                 # Example:
>                 ## Get connect (small yet good)
>                 #  wget http://www.taiyo.co.jp/~gotoh/ssh/connect.c

I've used this one, too.  They both work about the same.

The important part is "they both work!"

-Jason

Re: How to go through a company proxy with ssh ?

tve
In reply to this post by Teggy P Veerapen
Hi,

Thanks guys for all this information ... In fact, I have tried both solutions,
connect and corkscrew, but I haven't been able to connect through the proxy with
either utility. I am getting a forbidden message and if I turn the debug option on
when using connect, I get something like this:

---8<---------------
...
DEBUG: begin_http_relay()
DEBUG: >>> "CONNECT 82.231.204.246:80 HTTP/1.0\r\n"
DEBUG: >>> "\r\n"
DEBUG: <<< "HTTP/1.0 403 Forbidden\r\n"
DEBUG: http proxy is not allowed.
FATAL: failed to begin relaying via HTTP.
ssh_exchange_identification: Connection closed by remote host
---8<---------------

I would presume that the proxy is somehow checking that http requests are going
through and all it's seeing is ssh requests. Does that seem plausible to you
that the proxy is indeed checking the request ?

Or am I making a mistake when using the utility (configuration seems fairly
simple and straightforward to me) ?

Here is what I have in $HOME/.ssh/config
---8<---------------
host a.b.c.d
    port 80
    identityfile /cygdrive/c/teggy/dev/privkey.txt
#   ProxyCommand corkscrew genproxy 8080 %h %p
    ProxyCommand connect -d -H genproxy:8080 %h %p
---8<---------------

and I am running the following command:
$ ssh a.b.c.d

If you have any other solution, I'll be glad to hear about it. Otherwise I'm
thinking about using http tunnel ... Any recommendation ?

ps: Apologies if this message is not attached to the thread; but I couldn't make a
reply to previous posts since I was not subscribed to the mailing list.

Cheers,

Teggy

Re: How to go through a company proxy with ssh ?

Brett Serkez-2
<snip>
> Thanks guys for all these informations ... In fact, I have tried both solutions
> connect and corkscrew but I haven't been able to connect through the proxy with
> neither utility. I am getting a forbidden message and if I turn debug option on
> when using connect, I get something like that:
<snip>

While this is being addressed as a technical issue, the proxy server
is presumably used to implement company policy.  While you will likely
succeed in circumventing the proxy server, will this put you in
violation of company policy?  What might the consequences be if a
threat entered the company network via this circumvention?  What will
you say to management if they question why you circumvented the proxy
server?

Just food for thought....

Brett

Re: How to go through a company proxy with ssh ?

Robert McKay
In reply to this post by tve
On 10/26/06, Teggy P Veerapen <[hidden email]> wrote:

> Hi,
>
> Thanks guys for all these informations ... In fact, I have tried both solutions
> connect and corkscrew but I haven't been able to connect through the proxy with
> neither utility. I am getting a forbidden message and if I turn debug option on
> when using connect, I get something like that:
>
> ---8<---------------
> ...
> DEBUG: begin_http_relay()
> DEBUG: >>> "CONNECT 82.231.204.246:80 HTTP/1.0\r\n"
> DEBUG: >>> "\r\n"
> DEBUG: <<< "HTTP/1.0 403 Forbidden\r\n"
> DEBUG: http proxy is not allowed.
> FATAL: failed to begin relaying via HTTP.
> ssh_exchange_identification: Connection closed by remote host
> ---8<---------------
>
> I would presume that the proxy is somehow checking that http requests are going
> through and all it's seeing is ssh requests. Does that seem plausible to you
> that the proxy is indeed checking the request ?
>
> Or am I making a mistake when using the utility (configuration seems fairly
> simple and straightforward to me) ?
>

While this is probably straying off-topic for the cygwin mailing list...

The forbidden error is likely because you are trying to connect to
port 80 rather than port 443 (the https port). Try running sshd on
port 443 instead (simply add another listen directive to your
sshd_config file). Port 443 is often the only port you are allowed to
'CONNECT' to.

I've actually developed a novel hack to use http proxies that doesn't
use CONNECT but rather the standard GET and POST requests. It just
uses two simultaneous http requests (one always GETing, the other
always POSTing).

http://wari.mckay.com/~rm/proxy2ssh/

You'll also see a simple CONNECT script there as well that uses nc.
I've used both scripts under cygwin without difficulty.

Regards,

Robert.
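
The port restriction described in the reply above, seen from the proxy's side, as an added example that is not part of the original post nor any proxy product's code: it parses a CONNECT request, applies a port allow-list, and labels the first bytes relayed in a tunnel. The 443-only policy, the function names and the sample banner and TLS bytes are assumptions constructed for illustration.

```python
import re

# Assumption: the proxy only permits CONNECT to 443, as the reply says is common.
ALLOWED_CONNECT_PORTS = frozenset({443})

# Request line of an HTTP CONNECT: "CONNECT host:port HTTP/1.x"
CONNECT_RE = re.compile(
    rb"^CONNECT\s+(\[[0-9A-Fa-f:.]+\]|[^\s:]+):(\d{1,5})\s+HTTP/1\.[01]$"
)


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request head, or None if malformed."""
    match = CONNECT_RE.match(request.split(b"\r\n", 1)[0])
    if match is None:
        return None
    port = int(match.group(2))
    if not 0 < port < 65536:
        return None
    return match.group(1).decode("ascii", "replace"), port


def decide(request: bytes, allowed_ports=ALLOWED_CONNECT_PORTS) -> str:
    """Status line a port-restricting proxy would answer with."""
    target = parse_connect(request)
    if target is None:
        return "HTTP/1.0 400 Bad Request"
    if target[1] not in allowed_ports:
        return "HTTP/1.0 403 Forbidden"
    return "HTTP/1.0 200 Connection established"


def classify_tunnel(first_bytes: bytes) -> str:
    """Label the first bytes relayed through an established tunnel.

    An SSH peer opens with an identification string "SSH-<version>-...";
    a TLS client opens with a handshake record (type 0x16, major version 0x03).
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"


if __name__ == "__main__":
    # The request from the debug log in this thread, then the same host on 443.
    for req in (b"CONNECT 82.231.204.246:80 HTTP/1.0\r\n\r\n",
                b"CONNECT 82.231.204.246:443 HTTP/1.0\r\n\r\n"):
        print(req.split(b"\r\n")[0].decode(), "->", decide(req))
    # Constructed samples: an SSH banner and the start of a TLS ClientHello.
    for sample in (b"SSH-2.0-OpenSSH_4.4\r\n", b"\x16\x03\x01\x00\xc8\x01"):
        print(sample[:8], "->", classify_tunnel(sample))
```

The port check reproduces the 403 from the debug log; it says nothing about what is carried inside an allowed tunnel, which is what the content check looks at.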

Re: How to go through a company proxy with ssh ?

M. Edward (Ed) Borasky
In reply to this post by Brett Serkez-2
Brett Serkez wrote:
> While this is being addressed as a technical issue, the proxy server
> is presumably used to implement company policy.  While you will likely
> succeed in circumventing the proxy server, will this put you in
> violation of company policy?  What might the consequences be if a
> threat entered the company network via this circumvention?  What will
> you say to management if they question why you circumvented the proxy
> server?
>
> Just food for thought....

Amen! In fact, I've found the IT people where I work will bend over
backwards to get you the "unusual" things you need to do your job,
especially if both they and your manager agree you don't have a
practical alternative.



Re: How to go through a company proxy with ssh ?

DePriest, Jason R.
On 10/26/06, M. Edward (Ed) Borasky <> wrote:

> Brett Serkez wrote:
> > While this is being addressed as a technical issue, the proxy server
> > is presumably used to implement company policy.  While you will likely
> > succeed in circumventing the proxy server, will this put you in
> > violation of company policy?  What might the consequences be if a
> > threat entered the company network via this circumvention?  What will
> > you say to management if they question why you circumvented the proxy
> > server?
> >
> > Just food for thought....

"Business need" always trumps "security" in my experience.  That's why
I work in IT Risk Management instead of Data Security.

Regardless, here is how my corkscrew is set up to work properly.

We have Blue Coat proxies that require authentication (tied to active
directory).

I have a file called ~/.ssh/jrdepriest.auth that has a single line:
proxy_user:proxy_pass (obviously with the actual user name and password)

My ~/.ssh/config file has a section like this:
Host ww.xx.yy.zz
  ConnectionAttempts 5
  ConnectTimeout 10
  Protocol 2,1
  LogLevel DEBUG3
  ProxyCommand /usr/local/bin/corkscrew proxy.domain.com 8080 %h %p ~/.ssh/jrdepriest.auth

When I run ssh [hidden email], it automatically invokes the
corkscrew command which reads my user name and password from the auth
file and sends the information to port 8080 on our proxy server (HTTP,
not HTTPS or SOCKS or FTP which are also all available).

It just works.

-Jason

Re: How to go through a company proxy with ssh ?

Wynfield Henman
>   ProxyCommand /usr/local/bin/corkscrew proxy.domain.com:8080 %h %p

The above looks good.


> ~/.ssh/jrdepriest.auth

I don't know about the above, I just use "id_dsa.pub" for cvs access

> When I run ssh [hidden email], it automatically invokes the
> corkscrew command which reads my user name and password from the auth
> file and sends the information to port 8080 on our proxy server (HTTP,
> not HTTPS or SOCKS or FTP which are also all available).

Did you try adding the specific port:   ssh -p 443 [hidden email]   ?
with no changes to the  ~/.ssh/config file

Regards,

Re: How to go through a company proxy with ssh ?

Igor Peshansky
In reply to this post by tve
On Thu, 26 Oct 2006, Teggy P Veerapen wrote:

> [snip]
> ps: Apologies if this message is not attached the thread; but I couldn't
> make a reply to previous posts since I was not subscribed to the mailing
> list.

<http://cygwin.com/ml/cygwin/2004-09/msg00989.html>.
HTH,
        Igor
--
                                http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_    [hidden email] | [hidden email]
ZZZzz /,`.-'`'    -.  ;-;;,_ Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-' old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
"But no -- you are no fool; you call yourself a fool, there's proof enough in
that!" -- Rostand, "Cyrano de Bergerac"

Re: How to go through a company proxy with ssh ?

tve
Great stuff Igor,

Last time I was desperately looking for the msg num; now I know how to get it
...

Thousands of thanks for that :)

Cheers,

Teggy


Igor Peshansky <[hidden email]> wrote:

> On Thu, 26 Oct 2006, Teggy P Veerapen wrote:
>
> > [snip]
> > ps: Apologies if this message is not attached the thread; but I couldn't
> > make a reply to previous posts since I was not subscribed to the mailing
> > list.
>
> <http://cygwin.com/ml/cygwin/2004-09/msg00989.html>.
> HTH,
> Igor
> --
> http://cs.nyu.edu/~pechtcha/
>       |\      _,,,---,,_    [hidden email] | [hidden email]
> ZZZzz /,`.-'`'    -.  ;-;;,_ Igor Peshansky, Ph.D. (name changed!)
>      |,4-  ) )-,_. ,\ (  `'-' old name: Igor Pechtchanski
>     '---''(_/--'  `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
>
> "Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends
> compte."
> "But no -- you are no fool; you call yourself a fool, there's proof enough in
> that!" -- Rostand, "Cyrano de Bergerac"

Re: How to go through a company proxy with ssh ?

tve
In reply to this post by Robert McKay
Yes indeed, I was going through port 80 instead of port 443 thinking that both
were processed in exactly the same way by the proxy. But when reading your
website, I understood my error.

Thanks for this small bit of information ... Small bit indeed but how useful it
has been :)

Cheers,

Teggy


Robert McKay <[hidden email]> wrote:

> On 10/26/06, Teggy P Veerapen <[hidden email]> wrote:
> > Hi,
> >
> > Thanks guys for all these informations ... In fact, I have tried both
> solutions
> > connect and corkscrew but I haven't been able to connect through the proxy
> with
> > neither utility. I am getting a forbidden message and if I turn debug
> option on
> > when using connect, I get something like that:
> >
> > ---8<---------------
> > ...
> > DEBUG: begin_http_relay()
> > DEBUG: >>> "CONNECT 82.231.204.246:80 HTTP/1.0\r\n"
> > DEBUG: >>> "\r\n"
> > DEBUG: <<< "HTTP/1.0 403 Forbidden\r\n"
> > DEBUG: http proxy is not allowed.
> > FATAL: failed to begin relaying via HTTP.
> > ssh_exchange_identification: Connection closed by remote host
> > ---8<---------------
> >
> > I would presume that the proxy is somehow checking that http requests are
> going
> > through and all it's seeing is ssh requests. Does that seem plausible to
> you
> > that the proxy is indeed checking the request ?
> >
> > Or am I making a mistake when using the utility (configuration seems fairly
> > simple and straightforward to me) ?
> >
>
> While this is probably straying off-topic for the cygwin mailinglist..
>
> The forbidden error is likely because you are trying to connect to
> port 80 rather than port 443 (the https port). Try running sshd on
> port 443 instead (simply add another listen directive to your
> sshd_config file. Port 443 is often the only port you are allowed to
> 'CONNECT' to.
>
> I've actually developped a novel hack to use http proxies that doesn't
> use CONNECT but rather the standard GET and POST requests. It just
> uses two simultaneous http requests (one always GETing the other
> always POSTing).
>
> http://wari.mckay.com/~rm/proxy2ssh/
>
> You'll also see a simple CONNECT script there as well that uses nc.
> I've used both scripts under cygwin without difficulty.
>
> Regards,
>
> Robert.